Pre-processing of NAT addresses

ABSTRACT

A method for packet-oriented transmission of speech, audio, video and/or useful data between an internal and a public data network by means of a pre-reservation of NAT addresses. A pre-NAT address is allocated to the IP address of an internal computer by an NAT address server. The relevant allocation data set is available in a NAT host 200 which acts as a gateway between the internal and the public data network; whereby uniform addresses (pre-NAT addresses) are provided for transparent use of the data packet in the internal and the public network, since the origin or destination information in the protocol data is modified in addition to the origin or destination information in the IP header.

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is the US National Stage of International Application No. PCT/DE02/02840, filed Aug. 1, 2002, and claims the benefit thereof. The International Application claims the benefit of German application No. 10142500.7 filed Aug. 30, 2001; both of the applications are incorporated by reference herein in their entirety.

FIELD OF INVENTION

[0002] The invention relates to a method according to the preamble of claim 1 and to an arrangement for carrying out the method according to the preamble of claim 4.

BACKGROUND OF INVENTION

[0003] Methods of the type in question are nowadays widely used for the transmission of speech, audio, video and/or useful data across network boundaries, e.g. between internal and public data networks. During the transmission of data over IP networks, problems repeatedly arise when an address translation is performed at a network boundary using NAT (Network Address Translation). For various reasons, NAT is of crucial importance for Internet technology here. In addition to providing load distribution in parallel processing, various types of access security provisions in the sense of a firewall as well as fault tolerance and high availability are supported. Basic network administration functions are also simplified.

[0004] Since the address space provided at the time the Internet was founded will no longer suffice for the assignment of IP (IP: Internet Protocol) addresses in the foreseeable future, and especially since the expansion of internal and highly complex data networks requires more and more IP addresses, NAT is however used above all to hide internally used IP addresses from the outside. Firstly this makes it easier to manage internal networks, and secondly it saves on costs, since fewer chargeable public IP addresses need be used externally than are actually required internally. In principle it is theoretically possible here to map an internal network of up to 60,000 computers to a single public IP address by varying the port address of the public IP address.

[0005] With NAT, when an IP data packet is sent, first of all the IP header of this packet is exchanged. The internal IP address including port number is replaced by a public IP address with a different port number. An NAT host stores the mapping of internal IP address to the public (external) IP address. If the NAT host then receives an IP data packet, it maps the public (external) IP address back onto the internal IP address. The NAT host should be understood here as a computer linking two networks together on which appropriate software (NAT engine) handles the address translation.

[0006] It is however a problem that some IP protocols also send the internal IP addresses again as protocol data (e.g. with Voice-over-IP protocols). At the NAT host only the IP headers of a data packet are exchanged; the protocol data itself is not accessed, since it cannot be resolved by the NAT host. The addressed external computer in the public network now sends its reply, not to the public address in the IP header of the data packet, but to the internal IP address which the service used (e.g. Voice-over-IP) has read out from the protocol data. However, the original sender cannot be reached under this address. The reply is therefore sent either to an unknown IP address or to a different public computer which is unable to do anything with this IP data packet.

[0007] The problem described here has hitherto not been solved. There have been isolated attempts to use directly on the NAT host a protocol analyzer which is able to unpack certain protocols and also, in addition to the IP header, to change the protocol data in accordance with the NAT mapping. However, this regular access to protocol data together with its analysis would slow down the data traffic considerably. Moreover, depending on the protocol type used, it might prove necessary to use not just one, but several protocol analyzers. The problem could be solved in future by IPv6 (Internet Protocol Version 6, with extended IP address space), but IPv6 will not be implemented across the board for a long time to come. Owing to the greatly increased interest of companies in Internet telephony and in exchanging image and useful data, however, a speedy and reliable solution of the problem outlined is required.

SUMMARY OF INVENTION

[0008] The object of the present invention is to provide a method which, while retaining existing NAT configurations, enables the establishment of transparent connections for more complex protocols (speech, audio, video and/or useful data) via an NAT host.

[0009] It is a further object of the present invention to provide an arrangement for carrying out the method according to the invention.

[0010] One central idea of the method according to the invention is to support on the one side more complex protocols (e.g. Voice-over-IP) to an unchanged extent in such a way that the problems with the addressing of computers in the public IP network which arise solely as a result of using NAT are solved. This is enabled in the packet-oriented transmission of speech, audio, video and/or useful data between an internal and a public data network by a pre-reservation of NAT addresses, whereby first of all a request of an internal computer is sent to an NAT address server to provide a pre-NAT address for an IP address of the internal computer. Said pre-NAT address for the IP address of the internal computer is allocated by the NAT address server. The current allocation data set between the pre-NAT address and the IP address of the internal computer is finally sent by the NAT address server to an NAT host. The current allocation data set for modifying the origin or destination specifications in the header of a data packet (IP header) is therefore present at the NAT host acting as the gateway between the internal and the public data network. In the next step, the pre-NAT address of the internal computer is sent from the NAT address server to the internal computer. At the computer, said pre-NAT address is introduced as the sender address into the protocol data of a data packet by the respective service (e.g. Voice-over-IP). A data packet, in particular with Voice-over-IP protocol data which now contains the pre-NAT address as the Voice-over-IP address, is then sent by the internal computer to the NAT host. On said host, in the next step an origin specification in the header of the data packet (IP header), which specification contains the IP address of the internal computer, can be exchanged for the allocated pre-NAT address. As a result, standardized addresses (pre-NAT addresses) are present in both the protocol data of the data packet and in the origin specification in the header of said packet for transparent use of the data packet in both the internal and the public data network. Finally, the data packet is forwarded by the NAT host to an externally addressed computer.

[0011] The advantage of this solution is that the NAT host no longer has to concern itself with the protocol data. The internal computer(s) (clients) can contact the NAT server in order to discover their future NAT address already in advance. This is taken into account when assembling the protocol data. The external computer in the public data network now receives in the protocol data the correct reply address, which then goes to the NAT host, and the latter can then deliver the reply correctly to the internal computer. The workload on the NAT host is also reduced since it now no longer itself has to unpack the data packet in accordance with the protocol used, but rather only exchanges the origin specification in the header of the data packet (IP header) as before.

[0012] Advantageous developments of the method according to the invention are disclosed in subclaims 2 and 3.

[0013] The data packet with the pre-NAT address from the externally addressed computer is preferably received by the NAT host. In the next step, using the current allocation data set, said host can exchange [lacuna], by exchanging a destination specification in the header of the data packet (IP header), which specification corresponds to the pre-NAT address, for the allocated IP address of the internal computer. In the next step, the data packet is then forwarded by the NAT host to the internally addressed computer. A particular advantage is conferred by the fact that the usual exchange of destination specification in the header of the data packet (IP header) by the externally addressed computer can be retained unchanged in the conventional framework. By virtue of the fact that transparent addresses are however now present in the destination specification in the header of the data packet (IP header) and in the protocol data transported with said data packet, misrouting of the data packet is precluded.

[0014] The NAT host preferably requests the current allocation data set from the NAT address server before the actual exchange of the destination specification in the header of the data packet (IP header) of the external computer is performed. A duplicated assignment of pre-NAT addresses to data packets that are not the result of a request from the internal network into the public network is consequently avoided. The exchange of the destination specification in the header of a data packet (IP header) sent from the public network into the internal network can then be performed taking into account the current data set of already assigned IP addresses.

[0015] The object of the present invention is furthermore achieved by an arrangement for carrying out the method according to the invention.

[0016] In this arrangement, in addition to an NAT host which connects at least one internal data network to a public data network, and at least one internal computer which communicates or can communicate with a public computer via the NAT host, an NAT address server is provided which is connected, or can establish a connection, to the internal computer and to the NAT host, and which serves to determine and allocate pre-NAT addresses to the IP address of an internal computer.

[0017] The determination of pre-NAT addresses includes here the management (adding, updating, deleting) of already assigned mappings in order to avoid duplicated assignment of pre-NAT addresses to IP addresses of internal computers. An address (pre-NAT address, IP address) is always understood here to refer to the IP number (e.g. 141.23.209.105) together with a port number (e.g. 1245). Since the IP number of the NAT host is always the same, the mapping of the pre-NAT address is resolved via the assignment of a port number to the IP number of the NAT host, which finally references the IP address (IP number and port number) of the internal computer.

[0018] Advantageous developments of the arrangement according to the invention are disclosed in claims 5 and 6.

[0019] In this arrangement the NAT address server preferably runs together with the NAT host on the same computer. The NAT host can handle here the functionalities of a gatekeeper, such as address translation, access control, bandwidth control, etc. of multimedia services. As a result of the close linking of the NAT host and its special services to the NAT address server on the same computer, in particular communication protocols over the data network are avoided. The NAT address server can therefore quickly ascertain used or free IP addresses from the NAT host before mapping to IP addresses of the internal computer is performed.

[0020] It is also especially advantageous if standardized protocols, in particular SIP (Session Initiation Protocol) or H.323, are used to transmit speech, audio and/or video data packets over network connections. In conjunction with the arrangement according to the invention, said protocols offer mechanisms for call forwarding, call signaling, inclusion of supporting data, media control and supplementary services. H.323 is a proven protocol here which is used in particular thanks to its user friendliness, reliability and interoperability with PSTN (Public Switched Telephone Network). SIP is a new protocol which guarantees scalability, flexibility and easy implementation when setting up complex systems.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] The invention is explained in greater detail below with reference to an exemplary embodiment, where:

[0022] FIG. 1 shows an arrangement for the packet-oriented transmission of speech, audio, video and/or useful data between an internal A and a public data network B according to the prior art, and

[0023] FIG. 2 shows an arrangement according to the invention for the packet-oriented transmission of speech, audio, video and/or useful data between an internal A and a public data network B.

DETAILED DESCRIPTION OF INVENTION

[0024] To elucidate the problem solved by the invention, FIG. 1 illustrates the problem once again in an arrangement according to the prior art. In this arrangement, an NAT host 100 having the IP number 145.30.62.1 connects an internal A to a public data network B. A computer 120 having the IP number 141.23.209.105 is connected via the NAT host 100 to a further computer 130 having the IP number 192.178.63.4. When communication is established between the computers 120, 130, first of all a data packet 160 is sent from the internal computer 120 to the NAT host 100 over a network connection 142. The IP address (comprising IP number and port number) of the computer 120, namely 141.23.209.105:1245, is used as the origin specification 170 of the data packet. The protocol data includes the Voice-over-IP address 180, which is identical to the IP address of the computer 120, used by the specific service running on the computer 120.

[0025] On the NAT host 100, the origin specification of the data packet 160, that is to say the IP address 141.23.209.105:1245 of the computer 120, is now replaced by the publicly visible IP number 145.30.62.1 of the NAT host 100 together with an allocated port number, namely 48324. This port number 48324 can be used for mapping the modified origin specification onto the original origin specification, that is to say the IP address 141.23.209.105:1245 of the computer 120. During this modification of the origin specification of the data packet 160, the Voice-over-IP address 180 however continues to remain 141.23.209.105:1245 and consequently the same as the original IP address of the computer 120.

[0026] Said data packet 160 is forwarded to the computer 130 over the network connection 143. In turn said computer 130 receives the message and uses for connection establishment the Voice-over-IP address present for the respective service, here Voice-over-IP, in the protocol data of the data packet 160. As a result, however, the data packet 161 sent back by the computer 130 is addressed to the original IP address of the computer 120. With the destination specification 171 of the data packet 161, that is to say the IP address 141.23.209.105:1245, the reply therefore goes either to an unknown IP address or to a different public computer which is unable to do anything with this data packet. The illustrated problem is therefore that an address translation takes place at the NAT host 100 which, although it modifies the origin specification 170 or destination specification 171 (the IP header) of the data packet 160 or 161 respectively, leaves untouched the relevant Voice-over-IP address 180 for the Voice-over-IP service used. However, it is precisely this service that, in the destination specification 171 of the returning data packet 161, addresses the IP address that was stored for it in the protocol data.

[0027] FIG. 2 now shows an arrangement according to the invention in which an NAT host 200 again connects an internal A to a public data network B. The NAT host 200 having the IP number 145.30.62.1 communicates bidirectionally with an NAT address server 210, with NAT host 200 and NAT address server 210 being connected to an internal computer 220 having the IP number 141.23.209.105 over network connections 240 and 242 respectively. The NAT host and NAT address server can also run on the same computer, but in order to illustrate the basic functioning of the arrangement according to the invention, they are shown separately here. The computer 220 is connected via the NAT host 200 to a further computer 230 having the IP number 192.178.63.4.

[0028] In order to preclude the problem described above, the computer 220 first sends a request over the network connection 240 to the NAT address server 210 for it to allocate a pre-NAT address 251 for its IP address 250, in this case 141.23.209.105:1245. The NAT address server 210 first determines an as yet unallocated pre-NAT address 251, which it then dispatches to the computer 220 over the network connection 240. The pre-NAT address in the present exemplary embodiment is 145.30.62.1:48324. The port number 48324 of the pre-NAT address can thus be used for mapping onto the IP address 141.23.209.105:1245 of the computer 220. The IP number 145.30.62.1 of the pre-NAT address 251 corresponds to the IP number of the NAT host 200 which is externally visible to the public network B.

[0029] In the next step, the computer 220 then sends a data packet 260 to the NAT host 200 in whose protocol data the assigned pre-NAT address 145.30.62.1:48324 is found as Voice-over-IP address 280. The origin specification 270 in the header of the data packet (IP header) 260 is by contrast the IP address of the computer 220, namely 141.23.209.105:1245. An address translation of the origin specification 270 of the data packet is in turn performed on the NAT host 200, during which translation the IP address of the computer 220 is exchanged for the pre-NAT address 145.30.62.1:48324 allocated by the NAT address server 210. Following the assignment of the pre-NAT address by the NAT address server 210, this current allocation of the pre-NAT address to the IP address of the computer 220 (mapping) is notified to the NAT host 200 over the network connection 241 or is requested by the NAT host 200. The IP address of the internal computer 220 can now be traced back via the mapping of the port number 48324 to the IP address of the internal computer 220, namely 141.23.209.105:1245.

[0030] In a further step, the data packet 260 is sent by the NAT host 200 to the external computer 230 over the network connection 243. For sending back the data packet 261, the Voice-over-IP service used there uses the Voice-over-IP address 280, which now corresponds to the pre-NAT address 251, present in the protocol data as the destination specification 271. Said destination specification 271 is now 145.30.62.1:48324.

[0031] This addresses the NAT host 200 where, on the basis of the current mapping, the destination specification 271 in the header of the data packet (IP header) 261 is exchanged for the actual IP address of the computer 220, that is to say the pre-NAT address 145.30.62.1:48324 for the IP address 141.23.209.105:1245. The data packet 261 can thus be mapped by the NAT host 200 to the computer 220 and sent to the latter.
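The FIG. 1 and FIG. 2 exchanges above, as an added Python simulation that is not part of the patent: NatAddressServer hands out pre-NAT addresses built from the NAT host's IP number and a not-yet-allocated port, NatHost rewrites only the IP header, and run_call() shows that the external computer's reply is misrouted without pre-reservation and reaches 141.23.209.105:1245 with it. The external computer's port 1720 and all class and function names are assumptions; the IP numbers and port 48324 are the ones used in the description.

```python
from __future__ import annotations
from dataclasses import dataclass

NAT_IP = "145.30.62.1"                 # IP number of NAT host 100/200, visible from network B
INTERNAL_ADDR = "141.23.209.105:1245"  # IP address (IP number:port) of internal computer 120/220
EXTERNAL_ADDR = "192.178.63.4:1720"    # computer 130/230; the port is an assumption (H.323 signalling)


@dataclass
class Packet:
    src: str        # origin specification in the IP header
    dst: str        # destination specification in the IP header
    voip_addr: str  # Voice-over-IP address in the protocol data; never touched by the NAT host


class NatAddressServer:
    """Allocates pre-NAT addresses: the NAT host's IP number plus a not-yet-allocated port."""
    def __init__(self, nat_ip: str, first_port: int = 48324) -> None:
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.allocations: dict[str, str] = {}  # pre-NAT address -> internal IP address

    def allocate(self, internal_addr: str) -> str:
        for pre, internal in self.allocations.items():  # one mapping per internal address, no duplicates
            if internal == internal_addr:
                return pre
        pre = f"{self.nat_ip}:{self.next_port}"
        self.next_port += 1
        self.allocations[pre] = internal_addr
        return pre


class NatHost:
    """Rewrites only the IP header; the mapping is taken from the server (FIG. 2) or self-made (FIG. 1)."""
    def __init__(self, nat_ip: str, server: NatAddressServer | None = None) -> None:
        self.nat_ip = nat_ip
        self.server = server
        self.table: dict[str, str] = {}  # public address -> internal address
        self.own_port = 48324            # port the prior-art host picks on its own

    def outbound(self, pkt: Packet) -> Packet:
        if self.server is not None:                       # FIG. 2: take the current allocation data set
            self.table.update(self.server.allocations)
            public = next(p for p, i in self.table.items() if i == pkt.src)
        else:                                             # FIG. 1: the host allocates the port itself
            public = f"{self.nat_ip}:{self.own_port}"
            self.table[public] = pkt.src
        return Packet(src=public, dst=pkt.dst, voip_addr=pkt.voip_addr)

    def inbound(self, pkt: Packet) -> Packet | None:
        if self.server is not None:                       # request the data set before exchanging dst
            self.table.update(self.server.allocations)
        internal = self.table.get(pkt.dst)
        return None if internal is None else Packet(pkt.src, internal, pkt.voip_addr)


def external_reply(received: Packet) -> Packet:
    """Computer 130/230 answers to the Voice-over-IP address it read from the protocol data."""
    return Packet(src=received.dst, dst=received.voip_addr, voip_addr=received.dst)


def run_call(pre_reservation: bool) -> str:
    """Returns the address the reply finally reaches, or 'misrouted' (the FIG. 1 outcome)."""
    server = NatAddressServer(NAT_IP) if pre_reservation else None
    nat = NatHost(NAT_IP, server)
    # FIG. 2: the client learns its pre-NAT address first; FIG. 1: protocol data carries the internal address
    voip_addr = server.allocate(INTERNAL_ADDR) if server is not None else INTERNAL_ADDR
    outgoing = nat.outbound(Packet(INTERNAL_ADDR, EXTERNAL_ADDR, voip_addr))
    reply = external_reply(outgoing)
    if not reply.dst.startswith(NAT_IP + ":"):  # an internal address is unreachable from network B
        return "misrouted"
    delivered = nat.inbound(reply)
    return "misrouted" if delivered is None else delivered.dst
```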

[0032] In particular the H.323 or SIP protocol is used in the protocol data for the Voice-over-IP connection establishment. As a consequence, the communication between one or more internal computers (multipoint connection) and one or more external computers on the basis of speech, audio, video and/or useful data is also always ensured by the arrangement for carrying out the method according to the invention.

[0033] It should be noted at this point that all the above-described elements are claimed as essential to the invention both individually for themselves and in every combination, in particular the details illustrated in the drawings. Variations of these are known to persons skilled in the art.

1. A method for the packet-oriented transmission of data between an internal network and a public data network, comprising: sending a request of an internal multimedia computer to an NAT address server for the provision of a pre-NAT address for an IP address of the internal computer; allocating a pre-NAT address to the IP address of the internal computer by the NAT address server; sending a current allocation data set between the pre-NAT address and the IP address of the internal computer from the NAT address server to an NAT host; sending the pre-NAT address of the internal computer from the NAT address server to the internal computer; sending a data packet with protocol data that contain the pre-NAT address from the internal computer to the NAT host; exchanging an origin specification in the header of the data packet, the specification containing the IP address of the internal computer, for the allocated pre-NAT address; and forwarding the data packet by the NAT host to an externally addressed computer.

2. The method as claimed in claim 1, further comprising: receiving a data packet with the pre-NAT address from the externally addressed computer by the NAT host; exchanging a destination specification in the header of the data packet (IP header), which specification contains the pre-NAT address, for the allocated IP address of the internal computer by the NAT host, using the current allocation data set; and forwarding the data packet by the NAT host to the internally addressed computer.

3. The method as claimed in claim 1, further comprising: requesting the current allocation data set from the NAT address server by the NAT host.

4. An arrangement for carrying out a method for packet-oriented transmission of data, the method comprising: sending a request of an internal multimedia computer to an NAT address server for the provision of a pre-NAT address for an IP address of the internal computer; allocating a pre-NAT address to the IP address of the internal computer by the NAT address server; sending a current allocation data set between the pre-NAT address and the IP address of the internal computer from the NAT address server to an NAT host; sending the pre-NAT address of the internal computer from the NAT address server to the internal computer; sending a data packet with protocol data that contain the pre-NAT address from the internal computer to the NAT host; exchanging an origin specification in the header of the data packet, the specification containing the IP address of the internal computer, for the allocated pre-NAT address; and forwarding the data packet by the NAT host to an externally addressed computer, the arrangement comprising: an NAT host connecting at least one internal data network to a public data network, for exchanging the destination and/or origin IP addresses of incoming and/or outgoing data packets; at least one internal computer which communicates or can communicate with at least one public computer via the NAT host; and an NAT address server which is connected, or can establish a connection, to the internal computer and to the NAT host for determining and allocating pre-NAT addresses to the IP address of an internal computer.

5. The arrangement according to claim 4, the method further comprising: receiving a data packet with the pre-NAT address from the externally addressed computer by the NAT host; exchanging a destination specification in the header of the data packet (IP header), which specification contains the pre-NAT address, for the allocated IP address of the internal computer by the NAT host, using the current allocation data set; and forwarding the data packet by the NAT host to the internally addressed computer, wherein the arrangement further comprises that the NAT address server runs together with the NAT host on the same computer.

6. The arrangement according to claim 4, wherein standardized protocols are used for the transmission of speech, audio and/or video data packets over network connections.

7. The method as claimed in claim 1, wherein the transmitted data are speech, audio, video and/or useful data.

8. The arrangement according to claim 6, wherein the standardized protocols are SIP or H.323.